Security Tool

Subdomain Finder

Discover all subdomains of any domain using Certificate Transparency logs and passive DNS. Live DNS resolution status, copy buttons and CSV export. Free, no signup.

How It Works
1. CT Log Query
Every SSL certificate issued for any subdomain is publicly logged. We query crt.sh — the largest public CT log aggregator — directly from your browser.
2. Passive DNS
We also query AlienVault OTX for passive DNS data — historical DNS records that catch subdomains not visible in CT logs.
3. DNS Resolution
Each discovered subdomain is checked live against Google DNS to confirm whether it is currently active or historical.
4. Results
A clean sortable table with first/last seen dates, live status, IP addresses, copy buttons and CSV/TXT export.
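The pipeline described in the steps above, as an added example (not this tool's own code): it deduplicates crt.sh-style rows, strips wildcard prefixes, enforces a dot-boundary scope check and marks each name live or historical from DNS-over-HTTPS-style answers. The sample rows and DNS answers are constructed, the function names are hypothetical, and using `not_before` as the seen date is an assumption.

```javascript
// Added example: constructed sample data, not real crt.sh or dns.google output.
const MAX_RESULTS = 500; // the cap this page describes

// Constructed rows in the shape of crt.sh's JSON output (name_value, not_before).
const sampleCtRows = [
  { name_value: "www.example.com\nexample.com", not_before: "2023-01-10T00:00:00" },
  { name_value: "*.staging.example.com", not_before: "2021-06-01T00:00:00" },
  { name_value: "WWW.example.com", not_before: "2024-03-05T00:00:00" },
  { name_value: "api.notexample.com", not_before: "2022-02-02T00:00:00" }, // out of scope
];

// Constructed answers in the shape of Google's DNS-over-HTTPS JSON API.
const sampleDns = {
  "www.example.com": { Status: 0, Answer: [{ type: 1, data: "192.0.2.10" }] },
  "example.com": { Status: 0, Answer: [{ type: 1, data: "192.0.2.10" }] },
  "staging.example.com": { Status: 3 }, // NXDOMAIN: certificate exists, record is gone
};

// Collapse CT rows into unique in-scope hostnames with first/last seen dates.
// Assumption: the certificate's not_before is used as the "seen" date.
function extractSubdomains(rows, domain) {
  const seen = new Map();
  for (const row of rows) {
    for (const raw of row.name_value.split("\n")) {
      const name = raw.trim().toLowerCase().replace(/^\*\./, "");
      // Require a dot boundary so "notexample.com" never matches "example.com".
      if (name !== domain && !name.endsWith("." + domain)) continue;
      const e = seen.get(name) || { name, firstSeen: row.not_before, lastSeen: row.not_before };
      if (row.not_before < e.firstSeen) e.firstSeen = row.not_before;
      if (row.not_before > e.lastSeen) e.lastSeen = row.not_before;
      seen.set(name, e);
    }
  }
  return [...seen.values()].sort((a, b) => a.name.localeCompare(b.name)).slice(0, MAX_RESULTS);
}

// A name is "live" only if the resolver returned NOERROR with at least one A record.
function classify(entries, dnsAnswers) {
  return entries.map((e) => {
    const r = dnsAnswers[e.name];
    const ips = r && r.Status === 0 ? (r.Answer || []).filter((a) => a.type === 1).map((a) => a.data) : [];
    return { ...e, ips, status: ips.length ? "live" : "historical" };
  });
}

const inventory = classify(extractSubdomains(sampleCtRows, "example.com"), sampleDns);
console.log(inventory);
```

Names that come back as historical are the ones to review in your own asset inventory: the certificate record is permanent even after the DNS entry is removed.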
What are Certificate Transparency logs?
CT logs are mandatory public records of every SSL/TLS certificate issued by trusted Certificate Authorities (RFC 6962). Since HTTPS is now near-universal, CT logs capture 90–95% of active subdomains at zero cost, which makes them the most reliable free source for subdomain discovery.
Why are some subdomains shown as inactive?
A subdomain may have had a certificate issued in the past but its DNS record has since been removed. These historical subdomains are still valuable — forgotten staging environments, old API endpoints and decommissioned services are common sources of vulnerabilities.
Are there subdomains this tool might miss?
Subdomains that have never had an SSL certificate and do not appear in passive DNS databases will not be found. For exhaustive enumeration, combine these results with DNS brute-forcing using a wordlist tool like Subfinder or Amass.
Is this legal to use?
Yes — this tool queries entirely public data sources. No requests are sent to the target domain itself. CT log queries and passive DNS are standard OSINT techniques. Always ensure you have authorisation before testing any discovered subdomains for vulnerabilities.
Why is there a 500 subdomain limit?
Large domains (Google, Microsoft) have hundreds of thousands of CT log entries. We cap at 500 to keep results fast and practical. For comprehensive enumeration of very large domains, CLI tools like Subfinder are more suitable.

What is Subdomain Enumeration?

Understanding this tool helps you get the most from it. This page provides a comprehensive explanation of the technology, common use cases, and how to interpret the results.

Why Discover Subdomains?

Each result is explained in plain English so you can take action without needing technical expertise. The tool checks against up-to-date databases and standards.

How This Tool Works

Simply enter the required information above and click the button. Results are shown instantly — no account, no signup, completely free.
